Friday, April 04, 2008

Unbelievable. I spent the better part of 2 hours tonight trying to figure out why my firewall was sending traffic to the wrong destination. Not to go into excessively boring details, but our Internet provider (who shall rename nameless) which we are phasing out provided us with a set of IP addresses using a subnet mask that gives us about 14 addresses to use. Oddly, the addresses we needed to use were getting routed to our new Internet provider and then dropped by the firewall as "spoofs". I could not figure it out until I looked closely at the mask and found that our destination IP, which we've been using for years, wasn't in the range given to us. Upon further investigation, I found routes on our external router that routed 5 additional addresses, including the one we were trying to use, to us.

Why on God's green earth this ISP chose to route us 14 addresses + 5 instead of giving us a larger subnet mask is beyond me. Either they did give us a larger mask and never told anyone and didn't configure the router correctly, or they're just crazy.

Either way, check your subnet masks, kids. Our firewall was doing exactly what it should have done, only it took a lot of looking to see why.